People Centric Identity

His assumption seems to be that we are working with a broadly tech savy enterprise environment, the "knowledge worker".

What we are finding in our discussions with vendors around strong authentication is a almost complete failure to realise that strong
authentication is going to have to be rolled out to the masses. In
the UK this means 20M + people. In the US 100M+ people.

These people come is all shapes, sizes and abilities. When I am
presenting to our clients we are very aware that many are planning to roll out systems that will eventually need to be used by people like my mother. She will need to have to use them, not for a matter of convienience but because that is the way that the system has to work.
She is in her 70's and hardly touches the computer in the house.

In the UK this year the banks have just rolled out "chip & pin" for bank card verification. It had to consider real usability issues for the elderly, the blind, those in wheel chairs who had to be able to reach or see the key pad. As an example I recenty had to gently steer a solutions designer away from proposing a OTP Token solution for someone whose typical profile was 70 years old, diabetic and probabaly going blind!

We are moving to a world where we will have to manage risk in a more flexible manner that is able to support every person given their personal capabilities. This is becuase we are going to have to better manage risk in every transaction, face to face, over the phone and not just online transactions and not just to support the next form of
electonic gizmo. We must be aware of this as we design our
architectures and solutions.

This is a plea for PEOPLE CENTRIC Identity Management. If we fail to
consider people in their diversity, we will fail as vendors and service providers.

Richard brings up a very good point in adding accessiblity to the "convience" argument in the article. Whatever the solutions are that we come up with, we need to ensure that they are convenient to the user as the user sees it while not giving up practical security measures.

Later in the discussion, someone asked for a description of "PEOPLE CENTRIC" Identity Management. Eric Norman of the University of Wisconsin responded:

Here are some things I would list. (These are for any system, not just identity management).

It means that people can operate the controls of the system without having to know the definitions of arcane words and concepts (the things that geeks love).

It means that taking the path of least resistance leads the operator to doing the "right thing".

It means that it's difficult to make a mistake.

It means that people can understand the controls of the system and are able to predict what they will do.

It means that feedback is always provided about the current state of the system.

It means that the system operates in a manner that matches the operator's internal mental model. Note: this mental model *is not* the same as the model that the developer uses.

It means that people can operate the controls of the system without having a help desk assistant on the line.

I like much of what Eric says here... I would add that the concept of what is "right" for one user may be a "mistake" for another (there's no one right answer. I would also say that documentation should be as helpfull as possible for each supported environment -- meaning that

When I was at AOL and we were doing the initial architecture of these kinds of things we always kept in mind the following guidlines:

Out of the box, it should work for my mother

The rest of us should have a "geek page" we can go to to tweak the behavior

The common configurations should be available as settings packages (e.g. UltraParanoid, ParanoidEnough, NotParanoidAtAll :-)).

I'm sure there were other more detailed requirements, but these (especially the first) guidelines helped keep us grounded in what we were "discussing".

I'd also want to point out that this topic, although similarly named, is different than the recent user-centric identity discussions. User Centric Identity is about control of operations, People Centric Identity management is about designing solutions that work for many types of people and to make it convenient to those people.

1 comment:

Eric Norman
said...

I want to emphasize what Conor said above. The main thrust of "user-centric" is about user control of what happens to their identity information. The place where the concepts of people-centric, usability, human engineering, etc. enter the picture is that there are "controls" in th system that a user will need to operate. Metaphorically, the user will need to throw switches or turn valves as his identity information flows throughout the system. So the user needs to understand that those controls do, why they are there, what they are good for, when it is appropriate to use them, and so forth. And what I mean by understand is not understand the geeklike terms used to describe them. Although education is an important part of the deployment process, I also think that there's a lot of education that needs to be targeted at the geek and developers so that they start speaking more of the language that users understand.